Compliance is a business. That statement should not come as a shock or even a surprise to anyone who has worked in the corporate world. Every part of a business should work towards doing business. Yet many compliance practitioners and unfortunately some business types see compliance as the Land of No, led by the corporate equivalent of Dr. No.
The Department of Justice (DOJ), in the form of its Compliance Counsel, Hui Chen, has phrased it somewhat differently. In November 2015, at the New York University Program on Corporate Compliance and Enforcement, Chen provided her initial public comments about how she would consider the effectiveness of a compliance program. One of her points was that you should operationalize your compliance program by tying it to functional disciplines within your company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then in April 2016 with the initiation of the DOJ Pilot Program around FCPA enforcement, under the remediation prong, the DOJ once again emphasized the operationalization of a company’s compliance program as a key metric in determining benefits under the program.
All of this leads me to conclude the DOJ (as well as the Securities and Exchange Commission (SEC)) want to see compliance moved out into the business. This means that Chief Compliance Officers (CCO’s) will need to move past the thinking that simply having a compliance program will be enough to make compliance effective. You must actually be doing compliance going forward. So what are some of the indicia of doing compliance as a business?
Compliance is a service within your organization. You could actually be a part of the profit generator for your company. Just as law departments generate business by doing transactions, compliance can be viewed as delivering services not only to the business unit but also third parties with whom the company does business. This means not only traditional transaction partners such as sales agents, representatives and distributors but also joint venture (JV) partners, teaming partners and others. Compliance can deliver compliance related services to these third parties as a profit center.
Doing compliance means doing business. There are multiple types of risks in a business; operational, regulatory and reputational, just to name a few. The effort to measure and then manage each of these risks can be led by the compliance function. The more efficiently these risks are measured (i.e. assessed) the more easily and efficiently these risks can be managed. This means that the business is not faced with a binary 1/0 or Go/No Go decision on risk but if compliance moved into measuring and the managing risk through the operationalization of compliance into the business unit; the process would help you to do business more efficiently and with greater profitability.
Compliance is a platform to make your company not only a better run organization but can also demonstrate the thoughtfulness and effectiveness of your compliance program should a regulator ever come knocking. Compliance as a business even satisfies the Tom Fox mantra of Document, Document and Document. This is because if you operationalize compliance into the fabric of your organization, compliance internal controls will touch every aspect of the employment experience in a way that is not obtrusive and will not slow down what you are trying to achieve.
Take compliance as a platform in HR. At every point in talent management, HR can insert compliance into the cycle. Those points include the pre-employment interview and screening, the interview process with progressively higher senior management, the initial on-boarding process, the quarterly; semi-annually; annual performance review, annual bonus review, assessment and award, promotions and even exiting of an entity. The platform of compliance can record each of these touch points and you now have an internal control burned into HR which is a compliance internal control. Further, if there is any attempt to circumvent or over-ride one of these HR internal controls involving the hiring of a son or daughter of a foreign governmental official, a red flag can be raised and sent to the compliance function for further review.
Compliance is a marketing platform. Some attention has been paid to the use of compliance as a recruiting and hiring tool for millennials. One of the facts of their generation is they want to work at companies which are seen to be doing business ethically, all the while making money. Moreover, as Ethisphere demonstrates annually with its World’s Most Ethical Company awards, businesses which win those awards, on average, exceed the New York Stock Exchange blue chip average for profitability.
Compliance embraces public advocacy. The Volkswagen (VW) emissions-testing scandal is one of the largest corporate scandals of the past few years. One thing that makes the VW scandal so unique is that it is one of the few scandals where a company’s actions were so transgressive they damaged the reputations of its competitors. As a response to the VW scandal, Ulrich Grillo, President of the German industry association BDI, recognized that compliance is the answer. He urged companies to check their management processes, including compliance and control systems. He suggested one of the key questions to ask should be “Are we doing everything right?” When you have the President of a national industrial association saying compliance is the answer, you need to sit up and take notice.
As we move from the legal based model of compliance to the more mature understandings that compliance may best well be thought of as a business process, we begin to see how compliance can fit seamlessly into a business. This integration will allow a business to move more nimbly and with greater acumen. Compliance has been driven largely by legal requirements. The enactment of the Foreign Corrupt Practices Act in 1977, the implementation of the 1992 US Sentencing Guidelines, the passage of Sarbanes-Oxley in 2002 and Dodd-Frank in 2010 have all led to development and innovation in compliance. Now the DOJ is moving the bar again by talking about the operationalization of compliance and this development will continue to advance the corporate compliance function.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016